components/*: Forbid write access to root filesystem

Signed-off-by: GitHub <noreply@github.com>

jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet

@@ -169,10 +169,12 @@ function(params) {
       securityContext: if bb._config.privileged then {
         runAsNonRoot: false,
         capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
+        readOnlyRootFilesystem: true,
       } else {
         runAsNonRoot: true,
         runAsUser: 65534,
         allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
       },
       volumeMounts: [{
         mountPath: '/etc/blackbox_exporter/',
@@ -193,6 +195,7 @@ function(params) {
         runAsNonRoot: true,
         runAsUser: 65534,
         allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
       },
       terminationMessagePath: '/dev/termination-log',
       terminationMessagePolicy: 'FallbackToLogsOnError',

jsonnet/kube-prometheus/components/grafana.libsonnet

@@ -84,8 +84,9 @@ function(params)
       },
     },
 
-    // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
-    // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
     deployment+: {
       spec+: {
         template+: {
@@ -93,6 +94,7 @@ function(params)
             containers: std.map(function(c) c {
               securityContext+: {
                 allowPrivilegeEscalation: false,
+                readOnlyRootFilesystem: true,
               },
             }, super.containers),
           },

jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet

@@ -62,5 +62,6 @@ function(params) {
     runAsGroup: 65532,
     runAsNonRoot: true,
     allowPrivilegeEscalation: false,
+    readOnlyRootFilesystem: true,
   },
 }

jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet

@@ -118,8 +118,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
     image: ksm._config.kubeRbacProxyImage,
   }),
 
-  // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+  // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
-  // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+  // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+  // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1671 gets merged.
   deployment+: {
     spec+: {
       template+: {
@@ -137,6 +138,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
             resources: ksm._config.resources,
             securityContext+: {
               allowPrivilegeEscalation: false,
+              readOnlyRootFilesystem: true,
             },
           }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
         },

jsonnet/kube-prometheus/components/node-exporter.libsonnet

@@ -183,6 +183,7 @@ function(params) {
       resources: ne._config.resources,
       securityContext: {
         allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
       },
     };
 

jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet

@@ -228,6 +228,7 @@ function(params) {
       ],
       securityContext: {
         allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
       },
     };
 

jsonnet/kube-prometheus/components/prometheus-operator.libsonnet

@@ -125,11 +125,17 @@ function(params)
       image: po._config.kubeRbacProxyImage,
     }),
 
+    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4531 gets merged.
     deployment+: {
       spec+: {
         template+: {
           spec+: {
-            containers+: [kubeRbacProxy],
+            containers: std.map(function(c) c {
+              securityContext+: {
+                readOnlyRootFilesystem: true,
+              },
+            }, super.containers) + [kubeRbacProxy],
           },
         },
       },

manifests/blackboxExporter-deployment.yaml

@@ -43,6 +43,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
         volumeMounts:
@@ -63,6 +64,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
         terminationMessagePath: /dev/termination-log
@@ -90,6 +92,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532

manifests/grafana-deployment.yaml

@@ -47,6 +47,7 @@ spec:
             memory: 100Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /var/lib/grafana
           name: grafana-storage

manifests/kubeStateMetrics-deployment.yaml

@@ -43,6 +43,7 @@ spec:
             memory: 190Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsUser: 65534
       - args:
         - --logtostderr
@@ -63,6 +64,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
@@ -85,6 +87,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532

manifests/nodeExporter-daemonset.yaml

@@ -45,6 +45,7 @@ spec:
             memory: 180Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /host/sys
           mountPropagation: HostToContainer
@@ -79,6 +80,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532

manifests/prometheusAdapter-deployment.yaml

@@ -49,6 +49,7 @@ spec:
             memory: 180Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp
           name: tmpfs

manifests/prometheusOperator-deployment.yaml

@@ -44,6 +44,7 @@ spec:
             memory: 100Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
       - args:
         - --logtostderr
         - --secure-listen-address=:8443
@@ -63,6 +64,7 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532